Cryptographic Protocols (EIT ICT MSc) Dr. Levente Buttyán associate professor BME Hálózati Rendszerek és Szolgáltatások Tanszék Lab of Cryptography and System Security (CrySyS) buttyan@hit.bme.hu, buttyan@crysys.hu
Neighbor discovery many wireless networking mechanisms require that the nodes be aware of their neighborhood a simple neighbor discovery protocol: every node broadcasts a neighbor discovery request each node that hear the request responds with a neighbor discovery reply messages carry node identifiers neighboring nodes discover each other s ID an adversary may try to thwart the execution of the protocol prevent two neighbors to discover each other by jamming create a neighbor relationship between far-away nodes by spoofing neighbor discovery messages (can be prevented by message authentication techniques) by installing a wormhole (cannot be prevented by cryptographic techniques alone) Buttyán Levente, BME HIT 2
3 What is a wormhole? a wormhole is an out-of-band connection, controlled by the adversary, between two physical locations in the network the adversary installs radio transceivers at both ends of the wormhole it transfers packets (possibly selectively) received from the network at one end of the wormhole to the other end via the out-of-band connection, and re-injects the packets there into the network notes: the adversary s transceivers are not regular nodes (no node is compromised by the adversary) adversary doesn t need to understand what it tunnels (e.g., encrypted packets can also be tunneled through the wormhole) it is easy to mount a wormhole, but it may have devastating effects on routing
4 Effects of a wormhole at the data link layer: distorted network topology y x y x y x (a) (b) (c) y x y x y x (d) at the network layer: routing protocols may choose routes that contain wormhole links typically those routes appear to be shorter flooding based routing protocols (e.g., DSR, Ariadne) may not be able to discover other routes but only through the wormhole adversary can then monitor traffic or drop packets (DoS) (e) (f)
5 Wormholes in another context access control system: gate equipped with contactless smart card reader contactless smart card wormhole contactless smart card emulator fast connection smart card reader emulator user may be far away from the building
6 Classification of detection methods centralized mechanisms data collected from the local neighborhood of every node are sent to a central entity based on the received data, a model of the entire network is constructed the central entity tries to detect inconsistencies (potential indicators of wormholes) in this model can be used in sensor networks, where the base station can play the role of the central entity decentralized mechanisms each node constructs a model of its own neighborhood using locally collected data each node tries to detect inconsistencies on its own advantage: no need for a central entity (fits well some applications) disadvantage: nodes need to be more complex
7 Statistical wormhole detection each node reports its list of believed neighbors to the base station the base station reconstructs the connectivity graph (model) a wormhole always increases the number of edges in the connectivity graph this increase may change the properties of the connectivity graph in a detectable way (anomaly) detection can be based on statistical hypothesis testing methods (e.g. the c 2 -test)
Examples a wormhole that creates many new edges may increase the number of neighbors of the affected nodes distribution of node degrees will be distorted 35 number of nodes 30 25 20 15 10 5 0 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 node degree a wormhole is usually a shortcut that decreases the length of the shortest paths in the network distribution of the length of the shortest paths will be distorted number of shortest paths 5000 4500 4000 3500 3000 2500 2000 1500 1000 500 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 path length Buttyán Levente, BME HIT 8
9 Multi-dimensional scaling the nodes not only report their lists of neighbors, but they also estimate (inaccurately) their distances to their neighbors connectivity information and estimated distances are input to a multidimensional scaling (MDS) algorithm the MDS algorithm tries to determine the possible position of each node in such a way that the constraints induced by the connectivity and the distance estimation data are respected the algorithm has a certain level of freedom in stretching the nodes within the error bounds of the distance estimation let us suppose that an adversary installed a wormhole in the network if the estimated distances between the affected nodes are much larger than the nodes communication range, then the wormhole is detected hence, the adversary must also falsify the distance estimation distances between far-away nodes become smaller this will result in a distortion in the virtual layout constructed by the MDS algorithm
10 Examples in 1D: a b c d e f g wormhole a g b f c e d connectivity graph reconstructed virtual layout in 2D: wormhole
Packet leashes packet leashes ensure that packets are not accepted too far from their source geographical leashes each node is equipped with a GPS receiver when sending a packet, the node puts its GPS position into the header the receiving node verifies if the sender is really within communication range temporal leashes nodes clocks are very tightly synchronized when sending a packet, the node puts a timestamp in the header the receiving node estimates the distance of the sender based on the elapsed time and the speed of light d est < v light (t rcv t snd + D t ) note: v light D t must be much smaller than the communication range Buttyán Levente, BME HIT 11
12 TESLA with Instant Key-disclosure idea: authentication delay of TESLA can be removed in an environment where the nodes clocks are tightly synchronized MAC packet K time at send er t s t mac t pkt t s + t mac + t pkt time at receiver t r t mac t r + t mac t s - D t + t mac + t pkt MAC packet K by the time the sender reveals the key, the receiver has already received the MAC security condition: t r < t s D t + t pkt note: D t must be very small or otherwise packets must be very long
13 Mutual Auth with Distance-bounding MAD allows precise distance estimation without synchronized clocks
Using anchors anchors are special nodes that know their own positions (GPS) there are only a few anchors randomly distributed among regular nodes two nodes consider each other neighbors only if they hear each other and they hear more than T common anchors anchors put their location data in their messages transmission range of anchors (R) is larger than that of regular nodes (r) wormholes are detected based on the following two principles: 1. a node should not hear two anchors that are 2R apart from each other 2. a node should not receive the same message twice from the same anchor Buttyán Levente, BME HIT 14
15 Principle 1 A x ' R D x A x 2R A O A O ' O x hears anchors in A x and in A O P 1 is the probability that it hears two anchors that are farther away from each other than 2R the probability that there is at least one anchor in an area of size S is (1-e -l*s ), where l* is the density of anchors P 1 (1-e -l*s x)(1-e -l*s O), where S x is the size of A x and S O is the size of A O this lower bound is maximum when S x = S O
16 Principle 2 A x D x R A xo O A O when x and O are closer than 2R, the discs A x and A O overlap if there is an anchor in the intersection A xo, then the messages of that anchor is heard twice by x first directly and then from transceiver D who receives it from O through the wormhole the probability P 2 of detection is equal to the probability that there is at least one anchor in A xo P 2 = 1-e -l*s xo
17 Summary on wormhole detection a wormhole is an out-of-band connection, controlled by the adversary, between two physical locations in the network a wormhole distorts the network topology and may have a profound effect on routing wormhole detection is a complicated problem centralized and decentralized approaches statistical wormhole detection wormhole detection by multi-dimensional scaling and visualization packet leashes distance bounding techniques anchor assisted wormhole detection many approaches are based on strong assumptions tight clock synchronization GPS equipped nodes wormhole detection is still an active research area